REST API Authentication

Zanox REST authentication passes the connect ID, the signature (a keyed hash computed with the secret key) and the timestamp in the HTTP headers. Transmitting the hash signature this way follows the RFC2616 HTTP Digest Access Authentication specification. Alternatively, the timestamp, nonce and signature can be supplied as URL query parameters instead of headers.

Public resources - auth with connect ID

For public resources, it is enough to provide the connect ID as query parameter:

Private resources - auth with signature

The construction of the signature follows the RFC2104 specification: a keyed-HMAC (Hash Message Authentication Code) is computed over the UTF-8 encoded StringToSign, with the secret key supplied as the key parameter of the HMAC function.

To authenticate successfully, the connect ID, timestamp, nonce and signature must all be passed either as URL query parameters or as HTTP headers. Only one of the two mechanisms is required; you do not have to use both.

When authenticating with URL query parameters, be aware that the signature will sometimes contain a + symbol, which the browser interprets as a space character. You must therefore replace every + in the signature string with %2B before submitting the request.
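The following added example (not Zanox's own code) shows both transports described above: the keyed-HMAC over the UTF-8 StringToSign, the header variant, the query-parameter variant with + percent-encoded as %2B, and the server-side constant-time verification. The StringToSign layout (method + URI + timestamp + nonce), the SHA-1 digest, base64 output, header names and parameter names are all assumptions, since the page does not specify them.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode

# ASSUMPTION: the page does not spell out StringToSign; here it is the HTTP
# method, resource URI, timestamp and nonce concatenated in that order.
def string_to_sign(method: str, uri: str, timestamp: str, nonce: str) -> str:
    return f"{method.upper()}{uri}{timestamp}{nonce}"

def sign(secret_key: str, message: str) -> str:
    """Keyed-HMAC (RFC 2104) over the UTF-8 encoded StringToSign.
    ASSUMPTION: SHA-1 digest and base64 output (which is why '+' can appear)."""
    mac = hmac.new(secret_key.encode("utf-8"), message.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def auth_headers(connect_id, secret_key, method, uri, timestamp=None, nonce=None):
    """Header variant. Header names are placeholders, not Zanox's real ones."""
    timestamp = timestamp or time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime())
    nonce = nonce or secrets.token_hex(16)
    signature = sign(secret_key, string_to_sign(method, uri, timestamp, nonce))
    return {"X-Connect-Id": connect_id, "X-Date": timestamp,
            "X-Nonce": nonce, "X-Signature": signature}

def auth_query(connect_id, secret_key, method, uri, timestamp, nonce):
    """Query-parameter variant. quote_via=quote percent-encodes '+' as %2B
    (and spaces as %20), so the signature is not decoded as a space."""
    signature = sign(secret_key, string_to_sign(method, uri, timestamp, nonce))
    params = {"connectid": connect_id, "date": timestamp,
              "nonce": nonce, "signature": signature}
    return urlencode(params, quote_via=quote)

def verify(secret_key, method, uri, timestamp, nonce, presented):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(secret_key, string_to_sign(method, uri, timestamp, nonce))
    return hmac.compare_digest(expected, presented)

def verify_query(secret_key, method, uri, query_string):
    """Server side for the query variant; parse_qs turns %2B back into '+'."""
    p = parse_qs(query_string, keep_blank_values=True)
    try:
        return verify(secret_key, method, uri,
                      p["date"][0], p["nonce"][0], p["signature"][0])
    except KeyError:
        return False
```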

As headers, the authentication values must be set in the following way: